diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix
index a36a9657..0f59f8fb 100644
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -54,6 +54,17 @@
 };
 };
 
+ # Use SSH tunnel to reach internal hosts
+ programs.ssh.extraConfig = ''
+ Host bscpm04.bsc.es gitlab-internal.bsc.es knights3.bsc.es
+ ProxyCommand nc -X connect -x localhost:23080 %h %p
+ Host raccoon
+ HostName knights3.bsc.es
+ ProxyCommand nc -X connect -x localhost:23080 %h %p
+ Host tent
+ ProxyJump raccoon
+ '';
+
 # Use tent for cache
 nix.settings = {
 extra-substituters = [ "https://jungle.bsc.es/cache" ];
diff --git a/m/common/ssf.nix b/m/common/ssf.nix
index 60fbb044..8e8dc6b4 100644
--- a/m/common/ssf.nix
+++ b/m/common/ssf.nix
@@ -3,7 +3,8 @@
 imports = [
 ./xeon.nix
 ./ssf/fs.nix
- ./ssf/net.nix
 ./ssf/hosts.nix
+ ./ssf/net.nix
+ ./ssf/ssh.nix
 ];
 }
diff --git a/m/common/ssf/ssh.nix b/m/common/ssf/ssh.nix
new file mode 100644
index 00000000..b73abd79
--- /dev/null
+++ b/m/common/ssf/ssh.nix
@@ -0,0 +1,16 @@
+{
+ # Use SSH tunnel to apex to reach internal hosts
+ programs.ssh.extraConfig = ''
+ Host tent
+ ProxyJump raccoon
+
+ # Access raccoon via the HTTP proxy
+ Host raccoon knights3.bsc.es
+ HostName knights3.bsc.es
+ ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
+
+ # Make sure we can reach gitlab even if we don't have SSH access to raccoon
+ Host bscpm04.bsc.es gitlab-internal.bsc.es
+ ProxyCommand=ssh apex 'nc -X connect -x localhost:23080 %h %p'
+ '';
+}
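Review bot: Both ProxyCommand lines added to `programs.ssh.extraConfig` in m/apex/configuration.nix call `nc` by bare name, so they only work when the netcat found on the user's PATH is a variant that understands `-X connect -x`. If `pkgs` is among this module's arguments (the function head is outside the hunk), interpolating the store path, e.g. `ProxyCommand ${pkgs.netcat-openbsd}/bin/nc -X connect -x localhost:23080 %h %p`, removes that dependency. Separately, the proxy is reached on an unprivileged loopback port, so SSH host-key verification is the only thing that authenticates the far end of the tunnel; declaring the keys for knights3.bsc.es, gitlab-internal.bsc.es and bscpm04.bsc.es under `programs.ssh.knownHosts` would avoid trust-on-first-use through it. The host-key point applies equally to the stanzas added in m/common/ssf/ssh.nix.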
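Review bot: In m/common/ssf/ssh.nix the two `ProxyCommand=ssh apex '…'` lines run `nc` on apex rather than on the connecting machine, and `localhost:23080` is therefore apex's loopback, but the comments above the stanzas do not say so. I would add a line such as `# nc is executed on apex; localhost:23080 is apex's local HTTP proxy` above the first ProxyCommand, since the apex config uses the same command locally and the two are easy to confuse. Every connection to raccoon, tent and the gitlab hosts now depends on a non-interactive login to apex succeeding first, so the header comment should state which account and key are expected to provide it. The file also writes `ProxyCommand=` where the apex hunk uses the space-separated form; using one spelling in both keeps the configs easy to search.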